This disclosure relates generally to patient monitors and physiological sensors used for acquiring electrophysiological signals from a subject. More particularly, this disclosure relates to a detection or protection mechanism that may be employed to detect non-authentic and/or unauthorized sensors and to prevent the use of such sensors in patient monitors.
A prerequisite of patient care is that accurate and reliable measurements can be made from the patient to evaluate the patient's state. Since a patient monitor connected to a sensor may perform rather complex calculations based on the physiological signals acquired through the sensor and since the results obtained may depend on a variety of parameters related to the sensor, it is important that the sensor fulfills certain quality standards and is thus authorized to be used in the patient monitor for the measurement in question. The use of low quality sensors may lead to inaccurate and/or unreliable results, which may in turn contribute to incorrect medical decisions and even risk patient safety. It is therefore common practice to provide a sensor/monitor system with a detection mechanism that detects unauthorized and/or counterfeit sensors that would, if used in a patient monitor, bring the above drawbacks and risks.
In order to keep the sensors technically simple and the production costs low, it is desirable to use a generic memory sensor, i.e. a sensor that does not include any intelligence or data processing capability for its validation and for preventing the use of unauthorized sensors in connection with the patient monitor. Here, a generic memory sensor thus refers to a sensor provided with a generic memory from which the patient monitor may read data and into which the monitor may write updated data. That is, the sensor memory is a plain memory with no customized parts and with no associated intelligence or data processing capability. The intelligence is typically in the patient monitor, which may retrieve the sensor memory data for various purposes, process the data, and store updated data into the sensor memory.
One common way to impede illegal copying of the sensors is to make each sensor different by using a sensor-specific identifier in each sensor. This is typically a non-erasable serial number stored in the sensor memory. The serial number may be written into the memory as early as the manufacturing stage of the memory. Various encryption mechanisms may also be used for encrypting the sensor memory data or part thereof, and the serial number may serve as the seed value for the encryption. Encryption effectively prevents any copying of the sensor that first requires decrypting the sensor memory data.
In addition to the sensors being provided with an encrypted memory, the patient monitors may be provided with various verification algorithms for verifying that an authorized sensor is connected to the monitor.
In one sensor system, the associated monitor is provided with authentication software for authenticating the sensor connected to the monitor. The sensor includes a memory that may include various information concerning the origin and manufacture of the sensor, such as a manufacturer code, the sensor serial number, the sensor type code, and the usage count. All or part of the memory content may be in encrypted form. The monitor uses the data stored in the sensor to authenticate the sensor. If the sensor cannot be authenticated, the monitor software prohibits the use of the sensor in the monitor. The monitor may also use the serial number to maintain a usage counter for each sensor that is authenticated by the monitor. The value of the usage counter, i.e. the number of times that the sensor has been authenticated, provides a defense mechanism against multiple unauthorized sensors manufactured with the same serial number. A mirror usage counter is maintained in the sensor memory and the sensor and monitor usage counters are synchronized to the minimum of uses remaining between the two. The usage count thus reflects the sum of all prior sensor usage independent of the monitor. That is, the number of times that a sensor with a certain serial number can be used can be limited to a certain maximum that may be set in view of the lifetime of the sensor.
Various other data security mechanisms may also be used between the sensor and the monitor. For example, digital signatures stored in the sensor memory and cryptographic hash values (message digests) determined by the monitor may be used to verify both the authenticity of the sensor and the integrity of the sensor memory data.
A major drawback related to the use of generic memory sensors is that there are no efficient technical mechanisms to prevent the use of sensors which have been copied without first decrypting the sensor memory data. Copying a memory can be done without any understanding of the memory content, and encryption as such does not help. That is, if a binary bulk copy is taken from the original sensor memory data, the copied sensor may be connected to the associated patient monitor without the monitor detecting that the sensor is actually an unauthorized sensor.
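The following added example, which is not part of the original disclosure, models the monitor-side check described above: an integrity tag over the sensor memory and a usage counter synchronized to the minimum of uses remaining. It shows that a modified memory image is rejected while a bit-identical image still verifies, so only the shared counter bounds its use. The key, the memory layout, the limit of three uses and all names are constructed assumptions, and a keyed HMAC stands in for the digital signature the text mentions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: verification secret held by the monitor
MAX_USES = 3                   # assumption: lifetime limit per serial number


def make_sensor(serial: str, uses_left: int = MAX_USES) -> dict:
    """Build a generic memory image: plain data plus an integrity tag."""
    body = f"{serial}|type=EEG".encode()  # constructed layout: serial, type code
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag, "uses_left": uses_left}


class Monitor:
    def __init__(self) -> None:
        self.uses_left = {}  # monitor-side usage counter, keyed by serial number

    def authenticate(self, sensor: dict) -> bool:
        expected = hmac.new(KEY, sensor["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sensor["tag"]):
            return False  # memory content does not match its tag
        serial = sensor["body"].split(b"|")[0].decode()
        # Synchronize both counters to the minimum of uses remaining.
        remaining = min(self.uses_left.get(serial, MAX_USES), sensor["uses_left"])
        if remaining <= 0:
            return False  # lifetime for this serial number is exhausted
        self.uses_left[serial] = sensor["uses_left"] = remaining - 1
        return True


def demo() -> dict:
    monitor = Monitor()
    original = make_sensor("SN-0001")
    copied = dict(original)  # bit-identical memory image, tag included
    altered = dict(original, body=b"SN-0002|type=EEG")  # serial changed, tag stale
    return {
        "altered": monitor.authenticate(altered),    # False: integrity check fails
        "original": monitor.authenticate(original),  # True: 2 uses remain
        "copy_1": monitor.authenticate(copied),      # True: identical data verifies
        "copy_2": monitor.authenticate(copied),      # True: last remaining use
        "copy_3": monitor.authenticate(copied),      # False: shared counter at zero
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:9s} accepted={accepted}")
```

The integrity check never distinguishes the copied image from the original; the only effect the monitor has on it is that both draw down the same per-serial counter.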